Merge branch 'dev' into kilo

Jason Ertel
2022-04-18 10:11:37 -04:00
15 changed files with 303 additions and 344 deletions


@@ -15,295 +15,86 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html"
{# we only want the script to install the workstation if it is CentOS -#}
{% if grains.os == 'CentOS' -%}
{# if this is a manager -#}
{% if grains.master == grains.id.split('_')|first -%}
INSTALL_LOG=/root/so-analyst-install.log
exec &> >(tee -a "$INSTALL_LOG")
source /usr/sbin/so-common
pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
log() {
msg=$1
level=${2:-I}
now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
echo -e "$now | $level | $msg" >> "$INSTALL_LOG" 2>&1
}
if [ -f "$pillar_file" ]; then
if ! grep -q "^workstation:$" "$pillar_file"; then
error() {
log "$1" "E"
}
info() {
log "$1" "I"
}
title() {
echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$INSTALL_LOG" 2>&1
}
logCmd() {
cmd=$1
info "Executing command: $cmd"
$cmd >> "$INSTALL_LOG" 2>&1
}
analyze_system() {
title "System Characteristics"
logCmd "uptime"
logCmd "uname -a"
logCmd "free -h"
logCmd "lscpu"
logCmd "df -h"
logCmd "ip a"
}
analyze_system
OS=$(grep PRETTY_NAME /etc/os-release | grep 'CentOS Linux 7')
if [ $? -ne 0 ]; then
echo "This is an unsupported OS. Please use CentOS 7 to install the analyst node."
exit 1
fi
if [[ "$manufacturer" == "Security Onion Solutions" && "$family" == "Automated" ]]; then
INSTALL=yes
CURLCONTINUE=no
else
INSTALL=''
CURLCONTINUE=''
fi
FIRSTPASS=yes
while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
if [[ "$FIRSTPASS" == "yes" ]]; then
clear
echo "###########################################"
echo "## ** W A R N I N G ** ##"
echo "## _______________________________ ##"
echo "## ##"
echo "## Installing the Security Onion ##"
echo "## analyst node on this device will ##"
echo "## make permanent changes to ##"
echo "## the system. ##"
echo "## ##"
echo "###########################################"
echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)"
FIRSTPASS=no
else
echo "Please type 'yes' to continue or 'no' to exit."
fi
read INSTALL
done
if [[ $INSTALL == "no" ]]; then
echo "Exiting analyst node installation."
exit 0
fi
echo "Testing for internet connection with curl https://securityonionsolutions.com/"
CANCURL=$(curl -sI https://securityonionsolutions.com/ | grep "200 OK")
if [ $? -ne 0 ]; then
FIRSTPASS=yes
while [[ $CURLCONTINUE != "yes" ]] && [[ $CURLCONTINUE != "no" ]]; do
while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
if [[ "$FIRSTPASS" == "yes" ]]; then
echo "We could not access https://securityonionsolutions.com/."
echo "Since packages are downloaded from the internet, internet access is required."
echo "If you would like to ignore this warning and continue anyway, please type 'yes'."
echo "Otherwise, type 'no' to exit."
echo "###########################################"
echo "## ** W A R N I N G ** ##"
echo "## _______________________________ ##"
echo "## ##"
echo "## Installing the Security Onion ##"
echo "## analyst node on this device will ##"
echo "## make permanent changes to ##"
echo "## the system. ##"
echo "## A system reboot will be required ##"
echo "## to complete the install. ##"
echo "## ##"
echo "###########################################"
echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)"
FIRSTPASS=no
else
echo "Please type 'yes' to continue or 'no' to exit."
fi
read CURLCONTINUE
fi
read INSTALL
done
if [[ "$CURLCONTINUE" == "no" ]]; then
if [[ $INSTALL == "no" ]]; then
echo "Exiting analyst node installation."
exit 0
fi
else
echo "We were able to curl https://securityonionsolutions.com/."
sleep 3
# Add workstation pillar to the minion's pillar file
printf '%s\n'\
"workstation:"\
" gui:"\
" enabled: true"\
"" >> "$pillar_file"
echo "Applying the workstation state. This could take some time since there are many packages that need to be installed."
if salt-call state.apply workstation -linfo queue=True; then # make sure the state ran successfully
echo ""
echo "Analyst workstation has been installed!"
echo "Press ENTER to reboot or Ctrl-C to cancel."
read pause
reboot;
else
echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/logs/salt/minion."
fi
else # workstation is already added
echo "The workstation pillar already exists in $pillar_file."
echo "To enable/disable the gui, set 'workstation:gui:enabled' to true or false in $pillar_file."
echo "Additional documentation can be found at $doc_workstation_url."
fi
# Install a GUI text editor
yum -y install gedit
# Install misc utils
yum -y install wget curl unzip epel-release yum-plugin-versionlock;
# Install xWindows
yum -y groupinstall "X Window System";
yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts;
unlink /etc/systemd/system/default.target;
ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target;
yum -y install file-roller
# Install Mono - prereq for NetworkMiner
yum -y install mono-core mono-basic mono-winforms expect
# Install NetworkMiner
yum -y install libcanberra-gtk2;
wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;
mkdir -p /opt/networkminer/
unzip /tmp/nm.zip -d /opt/networkminer/;
rm /tmp/nm.zip;
mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/
chmod +x /opt/networkminer/NetworkMiner.exe;
chmod -R go+w /opt/networkminer/AssembledFiles/;
chmod -R go+w /opt/networkminer/Captures/;
# Create networkminer shim
cat << EOF >> /bin/networkminer
#!/bin/bash
/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@"
EOF
chmod +x /bin/networkminer
# Convert networkminer ico file to png format
yum -y install ImageMagick
convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png
# Create menu entry
cat << EOF >> /usr/share/applications/networkminer.desktop
[Desktop Entry]
Name=NetworkMiner
Comment=NetworkMiner
Encoding=UTF-8
Exec=/bin/networkminer %f
Icon=/opt/networkminer/networkminericon-4.png
StartupNotify=true
Terminal=false
X-MultipleArgs=false
Type=Application
MimeType=application/x-pcap;
Categories=Network;
EOF
# Set default monospace font to Liberation
cat << EOF >> /etc/fonts/local.conf
<match target="pattern">
<test name="family" qual="any">
<string>monospace</string>
</test>
<edit binding="strong" mode="prepend" name="family">
<string>Liberation Mono</string>
</edit>
</match>
EOF
# Install Wireshark for Gnome
yum -y install wireshark-gnome;
# Install dnsiff
yum -y install dsniff;
# Install hping3
yum -y install hping3;
# Install netsed
yum -y install netsed;
# Install ngrep
yum -y install ngrep;
# Install scapy
yum -y install python36-scapy;
# Install ssldump
yum -y install ssldump;
# Install tcpdump
yum -y install tcpdump;
# Install tcpflow
yum -y install tcpflow;
# Install tcpxtract
yum -y install tcpxtract;
# Install whois
yum -y install whois;
# Install foremost
yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
# Install chromium
yum -y install chromium;
# Install tcpstat
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm;
# Install tcptrace
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm;
# Install sslsplit
yum -y install libevent;
yum -y install sslsplit;
# Install Bit-Twist
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
# Install chaosreader
yum -y install perl-IO-Compress perl-Net-DNS;
yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm;
chmod +x /bin/chaosreader;
if [ -f ../../files/analyst/README ]; then
cp ../../files/analyst/README /;
cp ../../files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
cp ../../files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
cp ../../files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
else
cp /opt/so/saltstack/default/salt/common/files/analyst/README /;
cp /opt/so/saltstack/default/salt/common/files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
cp /opt/so/saltstack/default/salt/common/files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
cp /opt/so/saltstack/default/salt/common/files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
else # if the pillar file doesn't exist
echo "Could not find $pillar_file and add the workstation pillar."
fi
# Set background wallpaper
cat << EOF >> /etc/dconf/db/local.d/00-background
# Specify the dconf path
[org/gnome/desktop/background]
{#- if this is not a manager #}
{% else -%}
# Specify the path to the desktop background image file
picture-uri='file:///usr/share/backgrounds/so-wallpaper.jpg'
# Specify one of the rendering options for the background image:
# 'none', 'wallpaper', 'centered', 'scaled', 'stretched', 'zoom', 'spanned'
picture-options='zoom'
# Specify the left or top color when drawing gradients or the solid color
primary-color='000000'
# Specify the right or bottom color when drawing gradients
secondary-color='FFFFFF'
EOF
echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please view the documentation at $doc_workstation_url."
# Set lock screen
cat << EOF >> /etc/dconf/db/local.d/00-screensaver
[org/gnome/desktop/session]
idle-delay=uint32 180
{#- endif if this is a manager #}
{% endif -%}
[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 120
picture-options='zoom'
picture-uri='file:///usr/share/backgrounds/so-lockscreen.jpg'
EOF
{#- if not CentOS #}
{%- else %}
cat << EOF >> /etc/dconf/db/local.d/locks/screensaver
/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay
EOF
echo "The Analyst Workstation can only be installed on CentOS. Please view the documentation at $doc_workstation_url."
# Do not show the user list at login screen
cat << EOF >> /etc/dconf/db/local.d/00-login-screen
[org/gnome/login-screen]
logo='/usr/share/pixmaps/so-login-logo-dark.svg'
disable-user-list=true
EOF
{#- endif grains.os == CentOS #}
{% endif -%}
dconf update;
echo
echo "Analyst workstation has been installed!"
echo "Press ENTER to reboot or Ctrl-C to cancel."
read pause
reboot;
exit 0
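Review bot: `log()` (L26-31) hands `$msg` to `echo -e`, so any backslash sequence in a logged message or command string is reinterpreted before it reaches `$INSTALL_LOG`; `printf '%s | %s | %s\n' "$now" "$level" "$msg" >> "$INSTALL_LOG"` writes it verbatim. In the same helper set, `logCmd` (L43-47) expands `$cmd` unquoted, so the string is word-split and glob-expanded and a pipe or quoted argument inside it becomes a literal argument rather than shell syntax; that is fine for the simple commands in `analyze_system` but should be stated on the function, e.g. `# runs one simple command: no pipes, redirections or quoting in $cmd`. This rendering interleaves old and new lines without markers, so which of these helpers is newly introduced is inferred from the surrounding templating rather than certain.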


@@ -120,6 +120,30 @@ check_elastic_license() {
fi
}
check_salt_master_status() {
local timeout=$1
echo "Checking if we can talk to the salt master"
salt-call state.show_top concurrent=true
return
}
check_salt_minion_status() {
local timeout=$1
echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
local status=$?
if [ $status -gt 0 ]; then
echo " Minion did not respond" >> "$setup_log" 2>&1
else
echo " Received job response from salt minion" >> "$setup_log" 2>&1
fi
return $status
}
copy_new_files() {
# Copy new files over to the salt dir
cd $UPDATE_DIR
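Review bot: `check_salt_master_status` (L323-328) declares `local timeout=$1` but the new `salt-call state.show_top concurrent=true` call never uses it, so the `-t` bound the previous version applied is gone and an unreachable master now blocks for salt-call's default timeout while the parameter is dead; the `main` hunk later in this commit (L449) also calls the function with no argument. Either remove the unused local or keep the bound with a default, `salt-call state.show_top concurrent=true -t "${timeout:-<SECONDS>}"`, with the placeholder set to whatever the callers expect. The bare `return` does propagate salt-call's status, but the old `> /dev/null 2>&1` suppression is gone, so the full top-file output now lands on the console; if that is intended a one-line comment saying so would help. `copy_new_files` begins at L341 and continues past the hunk.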


@@ -32,11 +32,17 @@ copy_new_files() {
# Copy new files over to the salt dir
cd /tmp/sogh/securityonion
git checkout $BRANCH
VERSION=$(cat VERSION)
# We need to overwrite if there is a repo file
if [ -d /opt/so/repo ]; then
tar -czf /opt/so/repo/"$VERSION".tar.gz -C "$(pwd)/.." .
fi
rsync -a salt $default_salt_dir/
rsync -a pillar $default_salt_dir/
chown -R socore:socore $default_salt_dir/salt
chown -R socore:socore $default_salt_dir/pillar
chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
rm -rf /tmp/sogh
}
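Review bot: `cd /tmp/sogh/securityonion` (L349) is unchecked, so if the clone is missing the following `git checkout`, the `rsync` calls and the trailing `rm -rf /tmp/sogh` all run from whatever directory the script happens to be in; `cd /tmp/sogh/securityonion || exit 1` (or this file's own error path) stops that, unless `set -e` is active here, which the hunk does not show. `VERSION=$(cat VERSION)` (L351) is then used unvalidated as the tarball name, so stray whitespace or a path character in that file ends up in `/opt/so/repo/"$VERSION".tar.gz`; `VERSION=$(tr -d '[:space:]' < VERSION)` keeps it a plain token. `$BRANCH` and `$default_salt_dir` are also expanded unquoted throughout the function.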


@@ -34,7 +34,15 @@ check_err() {
local err_msg="Unhandled error occured, please check $SOUP_LOG for details."
[[ $ERR_HANDLED == true ]] && exit $exit_code
if [[ $exit_code -ne 0 ]]; then
set +e
systemctl_func "start" "$cron_service_name"
systemctl_func "start" "salt-master"
systemctl_func "start" "salt-minion"
enable_highstate
printf '%s' "Soup failed with error $exit_code: "
case $exit_code in
2)
@@ -91,9 +99,7 @@ check_err() {
if [[ $exit_code -ge 64 && $exit_code -le 113 ]]; then
echo "$err_msg"
fi
set +e
systemctl_func "start" "$cron_service_name"
enable_highstate
exit $exit_code
fi
@@ -416,6 +422,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.3.80 ]] && up_to_2.3.90
[[ "$INSTALLEDVERSION" == 2.3.90 || "$INSTALLEDVERSION" == 2.3.91 ]] && up_to_2.3.100
[[ "$INSTALLEDVERSION" == 2.3.100 ]] && up_to_2.3.110
[[ "$INSTALLEDVERISON" == 2.3.110 ]] && up_to_2.3.120
true
}
@@ -429,6 +436,8 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.3.60 || "$POSTVERSION" == 2.3.61 || "$POSTVERSION" == 2.3.70 || "$POSTVERSION" == 2.3.80 ]] && post_to_2.3.90
[[ "$POSTVERSION" == 2.3.90 || "$POSTVERSION" == 2.3.91 ]] && post_to_2.3.100
[[ "$POSTVERSION" == 2.3.100 ]] && post_to_2.3.110
[[ "$POSTVERSION" == 2.3.110 ]] && post_to_2.3.120
true
}
@@ -492,6 +501,14 @@ post_to_2.3.110() {
POSTVERSION=2.3.110
}
post_to_2.3.120() {
echo "Post Processing for 2.3.120"
POSTVERSION=2.3.120
sed -i '/so-thehive-es/d;/so-thehive/d;/so-cortex/d' /opt/so/conf/so-status/so-status.conf
}
stop_salt_master() {
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
set +e
@@ -728,9 +745,6 @@ up_to_2.3.90() {
up_to_2.3.100() {
fix_wazuh
echo "Removing /opt/so/state files for patched Salt InfluxDB module and state. This is due to Salt being upgraded and needing to patch the files again."
rm -vrf /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdb_retention_policy.py.patched /opt/so/state/influxdbmod.py.patched
echo "Adding receiver hostgroup with so-firewall"
if so-firewall addhostgroup receiver 2>&1 | grep -q 'Already exists'; then
echo 'receiver hostgroup already exists'
@@ -743,11 +757,16 @@ up_to_2.3.100() {
}
up_to_2.3.110() {
echo "Updating to Security Onion 2.3.110"
echo "Updating shard settings for Elasticsearch index templates"
sed -i 's|shards|index_template:\n template:\n settings:\n index:\n number_of_shards|g' /opt/so/saltstack/local/pillar/global.sls
}
up_to_2.3.120() {
# Stop thehive services since these will be broken in .120
so-thehive-stop
so-thehive-es-stop
so-cortex-stop
}
verify_upgradespace() {
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
if [ "$CURRENTSPACE" -lt "10" ]; then
@@ -885,6 +904,8 @@ upgrade_salt() {
else
echo "Salt upgrade success."
echo ""
echo "Removing /opt/so/state files for patched Salt InfluxDB module and state. This is due to Salt being upgraded and needing to patch the files again."
rm -vrf /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdb_retention_policy.py.patched /opt/so/state/influxdbmod.py.patched
fi
}
@@ -1014,6 +1035,17 @@ main() {
echo "### Preparing soup at $(date) ###"
echo ""
set_os
set_cron_service_name
if ! check_salt_master_status; then
echo "Could not talk to salt master"
echo "Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
echo "SOUP will now attempt to start the salt-master service and exit."
exit 1
fi
echo "This node can communicate with the salt-master."
echo "Checking to see if this is a manager."
echo ""
require_manager
@@ -1049,8 +1081,6 @@ main() {
echo "Verifying we have the latest soup script."
verify_latest_update_script
echo ""
set_os
set_cron_service_name
set_palette
check_elastic_license
echo ""
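Review bot: `preupgrade_changes` (L388-393) tests `$INSTALLEDVERISON` on the new 2.3.110 line (L391), a misspelling of the `INSTALLEDVERSION` used on every other line, so the comparison is against an empty (or, under `set -u`, unset) variable and `up_to_2.3.120` is never invoked when upgrading from 2.3.110; the line should read `[[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120`. Since `up_to_2.3.120` (L427-432) is where TheHive/Cortex are stopped before the upgrade and `post_to_2.3.120` (L404-408) then removes them from so-status.conf, the post step will run against services that were never stopped. Separately, the message at L452 in `main` says SOUP will attempt to start the salt-master service, but that branch only exits (L453).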


@@ -11,10 +11,17 @@ appender.rolling.name = rolling
appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
appender.rolling.layout.type = PatternLayout
appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %.10000m%n
appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log
appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log.gz
appender.rolling.policies.type = Policies
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling.policies.time.interval = 1
appender.rolling.policies.time.modulate = true
appender.rolling.strategy.type = DefaultRolloverStrategy
appender.rolling.strategy.action.type = Delete
appender.rolling.strategy.action.basepath = /var/log/elasticsearch
appender.rolling.strategy.action.condition.type = IfFileName
appender.rolling.strategy.action.condition.glob = *.log
appender.rolling.strategy.action.condition.nested_condition.type = IfLastModified
appender.rolling.strategy.action.condition.nested_condition.age = 7D
rootLogger.level = info
rootLogger.appenderRef.rolling.ref = rolling
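Review bot: The new Delete action (L481-487) uses `condition.glob = *.log`, but the new `filePattern` (L476) rolls files over as `…-%d{yyyy-MM-dd}.log.gz`, so the 7-day cleanup never matches the compressed archives and they accumulate indefinitely; `appender.rolling.strategy.action.condition.glob = *.log.gz` (or `*.log*` to also cover uncompressed leftovers) is what the policy needs. The only `*.log` file in that directory would be the active `${sys:es.logs.cluster_name}.log`, which `IfLastModified` 7D will not touch while the node is writing to it, so the rule as written is effectively a no-op. Also worth a comment: `basepath` is hard-coded to `/var/log/elasticsearch` while `fileName` derives from `${sys:es.logs.base_path}`; if those ever diverge the cleanup silently scans the wrong directory.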


@@ -18,7 +18,7 @@ appender.rolling.name = rolling
appender.rolling.fileName = /var/log/logstash/logstash.log
appender.rolling.layout.type = PatternLayout
appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %.10000m%n
appender.rolling.filePattern = /var/log/logstash/logstash-%d{yyyy-MM-dd}.log
appender.rolling.filePattern = /var/log/logstash/logstash-%d{yyyy-MM-dd}.log.gz
appender.rolling.policies.type = Policies
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling.policies.time.interval = 1


@@ -1,3 +1,6 @@
{# we only want this state to run it is CentOS #}
{% if grains.os == 'CentOS' %}
xwindows_group:
pkg.group_installed:
- name: X Window System
@@ -45,3 +48,11 @@ workstation_packages:
- perl-Net-DNS
- securityonion-chaosreader
- securityonion-analyst-extras
{% else %}
workstation_packages_os_fail:
test.fail_without_changes:
- comment: 'SO Analyst Workstation can only be installed on CentOS'
{% endif %}


@@ -1,5 +1,15 @@
{# we only want this state to run it is CentOS #}
{% if grains.os == 'CentOS' %}
remove_graphical_target:
file.symlink:
- name: /etc/systemd/system/default.target
- target: /lib/systemd/system/multi-user.target
- force: True
{% else %}
workstation_trusted-ca_os_fail:
test.fail_without_changes:
- comment: 'SO Analyst Workstation can only be installed on CentOS'
{% endif %}
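Review bot: The fallback state id `workstation_trusted-ca_os_fail` (L532) in this file, which manages `remove_graphical_target`, is the same id used by the trusted-ca state's fallback (L567), which looks like a copy-paste carry-over; Salt requires state ids to be unique across everything included in one highstate, so a non-CentOS minion that includes both files fails with a conflicting-IDs error instead of the intended `fail_without_changes` message. Rename it to match what the file guards, e.g. `workstation_remove_graphical_target_os_fail:`; the other new fallbacks at L516 and L584 already follow the `workstation_<state>_os_fail` pattern. The file name is not shown in this rendering, so the suggested id is inferred from the state the block contains.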


@@ -1,16 +1,19 @@
{% set global_ca_text = [] %}
{% set global_ca_server = [] %}
{% set manager = salt['grains.get']('master') %}
{% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
{# we only want this state to run it is CentOS #}
{% if grains.os == 'CentOS' %}
{% set global_ca_text = [] %}
{% set global_ca_server = [] %}
{% set manager = salt['grains.get']('master') %}
{% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
{% for host in x509dict %}
{% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import'] %}
{% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
{% do global_ca_server.append(host) %}
{% endif %}
{% endfor %}
{% set trusttheca_text = global_ca_text[0] %}
{% set ca_server = global_ca_server[0] %}
{% set trusttheca_text = global_ca_text[0] %}
{% set ca_server = global_ca_server[0] %}
trusted_ca:
x509.pem_managed:
@@ -22,3 +25,11 @@ update_ca_certs:
- name: update-ca-trust
- onchanges:
- x509: trusted_ca
{% else %}
workstation_trusted-ca_os_fail:
test.fail_without_changes:
- comment: 'SO Analyst Workstation can only be installed on CentOS'
{% endif %}


@@ -1,3 +1,7 @@
{# we only want this state to run it is CentOS #}
{% if grains.os == 'CentOS' %}
include:
- workstation.packages
@@ -9,3 +13,11 @@ graphical_target:
- require:
- pkg: X Window System
- pkg: graphical_extras
{% else %}
workstation_xwindows_os_fail:
test.fail_without_changes:
- comment: 'SO Analyst Workstation can only be installed on CentOS'
{% endif %}


@@ -138,6 +138,30 @@ analyze_system() {
logCmd "ip a"
}
analyst_salt_local() {
# Install everything using local salt
# Set the repo
securityonion_repo
gpg_rpm_import
# Install salt
logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
logCmd "yum -y update --exclude=salt*"
salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile
read -r -d '' message <<- EOM
Finished Analyst workstation installation.
Press ENTER to reboot.
EOM
whiptail --title "$whiptail_title" --msgbox "$message" 12 75
reboot
exit 0
}
analyst_workstation_pillar() {
local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
@@ -232,36 +256,6 @@ check_service_status() {
}
check_salt_master_status() {
local timeout=$1
echo "Checking if we can talk to the salt master" >> "$setup_log" 2>&1
salt-call saltutil.kill_all_jobs > /dev/null 2>&1
salt-call state.show_top -t $timeout > /dev/null 2>&1
local status=$?
if [ $status -gt 0 ]; then
echo " Could not talk to salt master" >> "$setup_log" 2>&1
return 1;
else
echo " Can talk to salt master" >> "$setup_log" 2>&1
return 0;
fi
}
check_salt_minion_status() {
local timeout=$1
echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
local status=$?
if [ $status -gt 0 ]; then
echo " Minion did not respond" >> "$setup_log" 2>&1
return 1;
else
echo " Received job response from salt minion" >> "$setup_log" 2>&1
return 0;
fi
}
check_soremote_pass() {
check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH"
}
@@ -910,6 +904,8 @@ check_requirements() {
if [[ -n $nsm_mount ]]; then
if [[ "$standalone_or_dist" == 'import' ]]; then
req_storage=50
elif [[ "$node_type" == 'idh' ]]; then
req_storage=12
else
req_storage=100
fi
@@ -922,6 +918,8 @@ check_requirements() {
else
if [[ "$standalone_or_dist" == 'import' ]]; then
req_storage=50
elif [[ "$node_type" == 'idh' ]]; then
req_storage=12
else
req_storage=200
fi
@@ -1521,7 +1519,7 @@ generate_passwords(){
}
generate_repo_tarball() {
mkdir /opt/so/repo
mkdir -p /opt/so/repo
tar -czf /opt/so/repo/"$SOVERSION".tar.gz -C "$(pwd)/.." .
}
@@ -1963,7 +1961,7 @@ minio_generate_keys() {
network_init() {
disable_ipv6
set_hostname
if [[ "$setup_type" == 'iso' ]]; then
if [[ ( $is_iso || $is_analyst_iso ) ]]; then
set_management_interface
fi
}
@@ -2423,8 +2421,8 @@ securityonion_repo() {
# update this package because the repo config files get added back
# if the package is updated when the update_packages function is called
logCmd "yum -v -y update centos-release"
echo "Move the .repo files that were added by the centos-release package."
find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/
echo "Backing up the .repo files that were added by the centos-release package."
logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/"
logCmd "yum repolist all"
fi
else
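Review bot: Wrapping the `find … | xargs … mv` pipeline in `logCmd` (L686) breaks it: assuming this file's `logCmd` has the same shape as the one in the so-analyst-install hunk (L43-47), `$cmd` is expanded unquoted, so `|`, `xargs`, `{}` and the single-quoted `'securityonion*repo'` are passed to `find` as literal arguments, find rejects them, and the centos-release `.repo` files are left in place — the previous direct invocation (L684) was correct. Keep the pipeline as real shell and redirect its output instead, e.g. `find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/ >> "$setup_log" 2>&1`. That expansion behaviour also means `logCmd` is only safe for a single command without quoting, which deserves a comment on its definition. Relatedly, `analyst_salt_local` (L602) pipes `salt-call state.apply` through `tee`, so a failed state still reaches the "Finished" dialog and `reboot`; check `${PIPESTATUS[0]}` before continuing. `securityonion_repo` starts before this hunk and continues past it.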


@@ -96,7 +96,7 @@ check_new_repos() {
local repo_arr=(
"https://download.docker.com/linux/ubuntu/gpg"
"https://download.docker.com/linux/ubuntu"
"https://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3003/SALTSTACK-GPG-KEY.pub"
"https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub"
"https://packages.wazuh.com/key/GPG-KEY-WAZUH"
"https://packages.wazuh.com"
)


@@ -100,11 +100,29 @@ if [[ $is_analyst ]]; then
fi
if ! whiptail_analyst_install; then
# Lets make this a standalone
echo "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target
startx
exit 0
if [[ $is_analyst_iso ]]; then
if whiptail_analyst_nongrid_iso; then
echo "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target
startx
exit 0
else
# Abort!
exit 0
fi
else
if whiptail_analyst_nongrid_network; then
echo ""
echo ""
echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection."
echo ""
echo ""
analyst_salt_local
else
# Abort!
exit 0
fi
fi
fi
# If you got this far then you want to join the grid
@@ -333,7 +351,6 @@ elif [ "$install_type" = 'RECEIVER' ]; then
is_minion=true
is_receiver=true
elif [ "$install_type" = 'ANALYST' ]; then
cd .. || exit 255
exec bash so-setup analyst
fi
@@ -1064,6 +1081,11 @@ echo "1" > /root/accept_changes
set_progress_str 87 'Adding user to SOC'
add_web_user >> $setup_log 2>&1
fi
if [[ $is_analyst ]]; then
# Remove access to the manager from the analyst workstation
rm -rf /root/.ssh/so.key*
fi
set_progress_str 90 'Enabling checkin at boot'
checkin_at_boot >> $setup_log 2>&1


@@ -43,7 +43,42 @@ whiptail_analyst_install() {
Would you like to join this workstation to an existing grid?
NOTE: Selecting "no" will enable X Windows and set it to load at boot.
EOM
whiptail --title "$whiptail_title" \
--yesno "$message" 11 75 --defaultno
}
whiptail_analyst_nongrid_iso() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
You have selected this Analyst workstation to be independent.
Would you still like to have the graphical interface loaded at boot?
NOTE: Selecting no will exit without making changes.
EOM
whiptail --title "$whiptail_title" \
--yesno "$message" 11 75 --defaultno
}
whiptail_analyst_nongrid_network() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
You have selected this Analyst workstation to be independent.
Would you still like to install and load the graphical interface?
NOTE: Selecting no will exit without making changes.
EOM
whiptail --title "$whiptail_title" \
--yesno "$message" 11 75 --defaultno
@@ -595,14 +630,16 @@ whiptail_end_settings() {
__append_end_msg " Logstash Batch Size: $LSPIPELINEBATCH"
__append_end_msg " Logstash Input Threads: $LSINPUTTHREADS"
else
if [[ ! $is_receiver ]]; then
__append_end_msg "Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE"
__append_end_msg "Elasticsearch Storage Space: ${log_size_limit}GB"
if [[ ! $is_analyst ]]; then
if [[ ! $is_receiver ]]; then
__append_end_msg "Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE"
__append_end_msg "Elasticsearch Storage Space: ${log_size_limit}GB"
fi
__append_end_msg "Logstash Heap Size: $NODE_LS_HEAP_SIZE"
__append_end_msg "Logstash Worker Count: $LSPIPELINEWORKERS"
__append_end_msg "Logstash Batch Size: $LSPIPELINEBATCH"
__append_end_msg "Logstash Input Threads: $LSINPUTTHREADS"
fi
__append_end_msg "Logstash Heap Size: $NODE_LS_HEAP_SIZE"
__append_end_msg "Logstash Worker Count: $LSPIPELINEWORKERS"
__append_end_msg "Logstash Batch Size: $LSPIPELINEBATCH"
__append_end_msg "Logstash Input Threads: $LSINPUTTHREADS"
fi
@@ -899,14 +936,14 @@ whiptail_install_type_other() {
# so only show it on network installs for now
if [[ $setup_type == 'network' ]]; then
install_type=$(whiptail --title "$whiptail_title" --radiolist \
"Choose distributed node type:" 9 65 2 \
"ANALYST" "Quit setup and run so-analyst-install " ON \
"Choose node type:" 9 65 2 \
"ANALYST" "Setup will run 'so-setup analyst' " ON \
"HELIXSENSOR" "Create a Helix sensor " OFF \
3>&1 1>&2 2>&3
)
else
install_type=$(whiptail --title "$whiptail_title" --radiolist \
"Choose distributed node type:" 8 65 1 \
"Choose node type:" 8 65 1 \
"HELIXSENSOR" "Create a Helix sensor " ON \
3>&1 1>&2 2>&3
)
@@ -2011,7 +2048,7 @@ whiptail_you_sure() {
read -r -d '' you_sure_text <<- EOM
Welcome to Security Onion Setup!
You can use Setup for lots of different use cases from a small standalone installation to a large distributed deployment for your enterprise. Don't forget to review the documentation at:
You can use Setup for several different use cases, from a small standalone installation to a large distributed deployment for your enterprise. Don't forget to review the documentation at:
https://docs.securityonion.net
Setup uses keyboard navigation and you can use arrow keys to move around. Certain screens may provide a list and ask you to select one or more items from that list. You can use [SPACE] to select items and [ENTER] to proceed to the next screen.
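Review bot: The two new prompts `whiptail_analyst_nongrid_iso` and `whiptail_analyst_nongrid_network` (L765-783) short-circuit with `[ -n "$TESTING" ] && return`, and a bare `return` carries the status of that test, which is 0 — so in a `TESTING` run the answer is an unconditional "yes" (install or start the GUI), the opposite of the interactive `--defaultno` default; this matches the existing `whiptail_analyst_install`, whose body starts before the hunk, but it is surprising enough to document, e.g. `# TESTING: skip the prompt and answer yes` above each guard. Both functions are otherwise identical to `whiptail_analyst_install` apart from the message text; a shared yes/no helper taking the message would keep the `--defaultno` and dialog geometry in one place if a third copy appears.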


@@ -15,6 +15,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
cd "$(dirname "$0")/salt/common/tools/sbin" || exit 255
cd "$(dirname "$0")/setup" || exit 255
./so-analyst-install
./so-setup analyst "$@"